P4CHAINS Vulnerabilities

P4CHAINS Vulnerabilities Review with Onapsis


Tue, 04/11/2023 – 13:44


Where the Risk from the Whole Is Greater than the Sum of Its Parts

On April 11, 2023, as part of its regular cadence of security patches, SAP released the patch for CVE-2023-28761, another security vulnerability identified by Pablo Artuso of Onapsis Research Labs. It may seem like business as usual in terms of security patches, but let me explain why I believe it is not.

All vulnerabilities are important, and many organizations use different mechanisms to define the response time to apply security patches to address those vulnerabilities. While a more comprehensive approach such as SSVC is useful, in most cases, CVSS is the most important driver of the response time. 

CVE-2023-28761 itself has a CVSS v3 rating of 6.5, which maps to a MEDIUM criticality*, and organizations tend to patch these medium vulnerabilities with a lesser sense of urgency. However, here’s where it gets more interesting: this vulnerability can be exploited by remote unauthenticated attackers to ultimately abuse another set of more critical vulnerabilities that were already patched by SAP: 


Vulnerability Details

  • SQL Injection and DoS in SearchFacade P4 Service
  • DoS and OS File Arbitrary read in locking P4 Service
  • RFC execution and Plain password leak in rfcengine P4 Service
  • SQL Injection and DoS in JobBean P4 service
  • Information Disclosure in Cache P4 service
  • Information Disclosure in Classload P4 service
  • Information Disclosure in Object Analyzing P4 service


So, all in all, vulnerabilities that may not have been Internet-accessible per se might be exploited by an attacker who leverages a vulnerability with a medium severity rating, ultimately making the whole group of vulnerabilities:

  • Remotely exploitable
  • Unauthenticated
  • Accessible through the HTTP protocol (potentially over the Internet)
  • Elevated to a critical impact on the system


Vulnerability Chaining

The action of combining vulnerabilities (but more importantly exploits) is known as exploit chaining and is not a new tactic for sophisticated threat actors. Frequently, in the past, the Onapsis Research Labs has reported our observations of attackers using various vulnerabilities to achieve different objectives with the ultimate goal of compromising the business data.  

Because of the significant opportunity for a threat actor to chain together this family of vulnerabilities to ultimately achieve broader, more critical impact, the Onapsis Research Labs is collectively referring to this family of CVEs as “P4CHAINS,” which includes all of the CVEs mentioned above in this blog post.


Next Steps to Protect Against P4CHAINS

The fact that it is highly possible for an attacker to chain these vulnerabilities to achieve a deeper level of compromise of business applications highlights the need for continued vigilance over vulnerabilities and their corresponding Security Notes, when released, to guide response on a month-by-month basis. In isolation, the impact from CVE-2023-28761 is low, but the potential for risk to elevate is higher because this vulnerability can be combined and chained with the larger P4CHAINS family.

If nothing else, P4CHAINS more importantly (and more simply) highlights that:

  1. It is important to apply patches
  2. It is important to apply patches in a timely manner
  3. It is important to apply patches in a timely manner across all applications

In many cases, the CVSS rating of vulnerabilities is a useful metric. However, bear in mind that these ratings are not absolute guideposts, and it is critical for organizations to have access to timely threat intelligence to better understand what is being exploited, what types of risks should be addressed with a higher priority than usual, and, ultimately, how to best prioritize your team’s precious time and workload. Otherwise, we end up with a risk from the whole that is significantly greater than the sum of its parts. 



* Common Vulnerability Scoring System v3.1: Specification Document

*** This is a Security Bloggers Network syndicated blog authored by ltabo.